The College of Physicians and Surgeons of Nova Scotia (the “College”) is committed to maintaining the confidentiality and security of personal information. We are responsible for all personal information, including personal health information, that is entrusted to us.
What is Personal Information?
Personal information is any information about an identifiable individual, or information that when combined with other, readily available information, may identify an individual. Personal information that the College collects, uses or discloses may include member names, addresses, telephone numbers, e-mail addresses, credit card information, or other contact information and personally identifiable data, date of birth, social insurance number, age, marital and financial status, race, national or ethnic origin, and religion. It also includes opinions about that individual.
What is Personal Health Information?
Personal health information for the purpose of this policy is identifying information about a patient or a physician and includes demographic information (name, address, date of birth), health card number and information related to a patient or physician’s physical and mental health care. Personal health information can be documented and undocumented and continues to be protected after a patient or physician is deceased. Information that identifies a person who provided healthcare to a patient is that patient’s personal health information.
In this policy, any reference to personal information includes personal health information.
The ten principles of the CSA Model Code as applied by the College
The College is accountable for all personal information under its control, including information which it may transfer to a third party. The College collects, uses and discloses information in accordance with its obligations under the Nova Scotia Medical Act 3 and the CSA Model Code. College staff are trained in standards and guidelines with respect to privacy and confidentiality.
To fulfill this purpose, the College has designated an individual as a Privacy Officer who is responsible for everyday operation and control of personal information as well as the College’s compliance with this Policy.
2. Identifying Purposes:
The College is required, pursuant to the Nova Scotia Medical Act3, to regulate the practice of medicine in the province with due regard to the public interest. The College uses personal information of its members and patients to carry out this function. The purposes for which the College collects, uses and discloses personal information include:
- Membership application
- All regulatory purposes
- Registration and licensing
- Credentials verification and assessment
- Incorporation membership
- Record of membership and licensees / member status
- Administration of the Physician Health Program
- Providing information to other entities, including Nova Scotia Health, the IWK, Dalhousie University, or any other entity through which physicians in Nova Scotia may operate, to address issues of physician health and wellness or other issues that need to be addressed in fulfillment of the College’s objects
- Peer Review
- Complaints and investigations (policies and practices related to confidentiality of the complainant and the physician as set out in the College’s publication policies)
- Assessment of competence and/or performance
- Communication with members
- Establishing and maintaining updated physician listings to publish on the College website and make available to inquirers
- Administering and facilitating members’ affiliations with the Canadian Medical Association, Dalhousie University, relevant Nova Scotia government departments and health authorities, the Medical Services Insurance Program (MSI), Doctors Nova Scotia, the Medical Identification Number for Canada (MINC), other medical regulatory authorities and any other entities with which a member has or seeks to have an affiliation.
- Demographics: research, analysis, and planning
- Providing information and documents to third parties as needed to fulfill the College’s objects
- Providing information to other regulatory bodies
- Compiling Statistics
- Payment of annual fee
If the College wishes to use personal information for a purpose not identified, the new purpose will be identified and the College will seek consent of the individual prior to use, unless required or permitted by law.
a) Members’ Personal Information
The College is dedicated to making members aware of the purposes for which their personal information is gathered, the use of the information and reasons for disclosure. Unless required or permitted by the Medical Act or other applicable law, the College obtains consent from members for the collection, use and disclosure of personal information. In certain circumstances, the consent for the individual can be obtained after collection of the information, but before use and disclosure.
The College will not, as a condition of the supply of goods or services, require that an individual consent to the collection, use, or disclosure of information beyond what is required for legitimate and communicated purposes. Some information related to licensing, competence and professional development must be provided as a condition of obtaining and maintaining one’s professional status.
There may be circumstances where consent may be implied by the circumstances. In such cases, the purpose for the collection and use of personal information must be apparent and the College may only use the personal information for the apparent purpose. In such a case, the College will not use that information for any other purpose.
The law provides certain exceptions to the usual requirement to obtain an individual’s consent. For example, an organization may collect and use personal information in circumstances where the collection and/or use of such information is clearly in the interests of the individual and consent cannot be obtained in a timely way. Similarly, personal information may be collected and used without the consent of the individual if the information is reasonably required to investigate a breach of an agreement, a violation of the law or investigations related to professional discipline and there is reason to believe that obtaining consent may compromise the availability or accuracy of such information.
Members can withdraw consent anytime for the retention and use of personal information, but only to the extent that such consent withdrawal does not affect the ability of the College to carry out its statutory functions. The College will inform the member of the implications of such withdrawal.
b) Personal Health Information
Regulatory bodies like the College are not custodians of personal health information under the Personal Health Information Act (PHIA). This means that even though the College may collect and use personal health information about individuals, it is not governed by PHIA, as it does not collect personal health information for the purpose of health care or the planning and management of the health system.2 The College does not need to obtain consent from patients for the College’s collection, use and disclosure of their personal information relating to an investigation of a complaint, subject to the statements below.
Where a complainant is not the patient, the College will obtain consent of the patient to share relevant records with the complainant.
Further, when the complainant is not the patient and the patient is deceased or does not have capacity to consent, the College seeks the consent from the legally authorized representative of the patient to share the patient’s personal health information with the complainant. If the consent is not forthcoming, the personal health information will not be shared with the complainant.
4. Limiting Collection:
The College collects personal information and personal health information only to the extent necessary for the purposes identified. Personal information is collected in a fair and lawful manner.
5. Limiting Use, Disclosure and Retention:
a) Members’ Personal Information
The College does not sell or trade member personal information to third parties. Personal information is only used or disclosed for the purpose for which it was collected with the consent of the member, or as required or permitted by law.
The personal information of the member is retained as long as it is considered necessary according to the College’s Document Retention policy.
b) Patients’ Personal Health Information
As per Section 45 of the Personal Health Information Act6 an (organization) that is not a custodian is authorized to collect the personal health information that a custodian may disclose to it, but that (organization) does not become a custodian merely by virtue of its collection of the personal health information that the custodian has disclosed to it.
The College will not disclose personal health information for any purpose other than the purpose for which it was authorized to disclose the information. In addition, the College will not use or disclose more of the information than is reasonably necessary to meet the purpose of the use or disclosure, unless the disclosure is required by law.
The College is dedicated to maintaining personal information in a form that is accurate, complete and current as is necessary for the fulfillment of the College’s purposes. Members are encouraged to contact the College and update any changes in their personal information. The College will correct or amend personal information that is shown to be incomplete or inaccurate.
The College takes reasonable steps to protect personal information against loss, unauthorized access, use, disclosure and alteration, no matter what form the information is in (for example, electronic version or physical copies).
The safeguards used by the College include:
- The College collects and stores personal patient and or complainant information on the website. This information is manually purged on a weekly basis and has security processes in place regarding data collection and removal from the system.
- Physical Measures: Locked filing cabinets, keypads or locks to restricted areas, alarm system in the office.
- Organizational Measures: Employees’ training, confidentiality agreements, limited access on “need to know” basis.
- Technological Measures: Use of security software, password, firewall and encryption.
- Destruction Measures: Records and documents of the members are destroyed in a confidential manner (e.g., shredding of paper records, wiped clean/deleting of discs and physical destruction of hard drives).
- Third party obligations: Contractual privacy agreement with third parties. To ensure the protection of your personal information, third parties enter into a legal contract and confidentiality agreement before the College uses their services.
The College is open about its policies and procedures and will provide members with specific information relating to the maintenance of personal information. These policies are available by contacting the College’s Privacy Officer.
9. Individual Access:
Members may contact the Privacy Officer at any time to discuss access to their own personal information. Upon written request, access will be provided, except as outlined below. A small fee may be applied to cover the cost of administration. Where legal or regulatory requirements prevent allowing access to personal information, the College will provide you with the reasons for denial of access.
10. Challenging Compliance:
If you visit our website (https://cpsns.ns.ca/) certain information is collected from you automatically, as described below.
1. IP Address:
Web servers automatically collect certain information when you visit a website, including your Internet Protocol (IP) address. IP addresses are unique numbers Internet Service Providers (ISP) assign to all devices accessing the Internet. The IP address, on its own, may not identify you as an individual. However, in certain circumstances, such as with the co-operation of an ISP for example, it can identify an individual. For this reason, the College considers IP address as personal information, particularly when combined with other data automatically collected such as the page or pages visited, date and time of the visit, etc.
3. Web analytics:
Web analytics is the collection, analysis, measurement, and reporting of data about web traffic and visits for purposes of understanding and optimizing web usage.
When your computer requests a College web page, we collect the following types of information for web analytics using digital markers:
- the originating IP address
- the date and time of the request
- the type of browser used
- the page(s) visited
Information we collect and use for the purpose of web analytics is in accordance with our mandate under the Health Professions Act. We may use such data to improve the College’s website as well as for communications and information technology statistical purposes, audit, evaluation, research, planning and reporting.
We do not disclose this information to any external third-party service providers.
4. Links to other websites
Ms. Tricia Crease, Privacy Officer
College of Physicians and Surgeons of Nova Scotia
400-175 Western Parkway Bedford, NS B4B 0V1
Phone: (902) 421-2200, Fax: (902) 422-5035
- Canadian Standard Association Model Code for the Protection of Personal Health Information
- Toolkit for Custodians: A Guide to the Personal Health Information Act
- Nova Scotia Medical Act 2011
- Personal Information Protection and Electronic Documents Act
- E-health Privacy and Security Guide, Doctors Nova Scotia January 2021
- Personal Health Information Act (PHIA 2012)